Re: potential security hole(s) in 1.71

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Philip Hazel
Date:  
À: T. William Wells
CC: exim-users
Sujet: Re: potential security hole(s) in 1.71
On Wed, 17 Sep 1997, T. William Wells wrote:

>      1) exim believes gethostbyaddr. Nonetheless, it is entirely
>    possible to spoof one's reverse address records.


That is why it is best to do your host blocking, etc. by IP number, or
by non-wild name, which is then looked up with a forward lookup.

For an entirely different reason I had decided that gethostbyaddr would
have to be changed. The reason is that you can't distinguish between
"unknown address" and "DNS lookup timed out". I will have to change to
doing an explicit DNS lookup, I suppose.

>      2) exim copies, using strcpy, the results of gethostbyaddr,
>    in at least one place. An immediate attack method is to
>    create a long HELO line and a tailored DNS record to
>    create overruns.


I can't find this code. There is only one call to gethostbyaddr() in
exim (well, some different versions for IPv4 and IPv6), and afterwards,
the code (version 1.71) reads

/* Copy and lowercase the name */

s = (char *)hosts->h_name;
t = yield = store_malloc((int)strlen(s) + 1);
while (*s != 0) *t++ = tolower(*s++);
*t = 0;
DEBUG(2) debug_printf("host_find_by_addr yields %s\n", yield);
return yield;

Please give more detail as to where you found this strcpy(). Thanks.

Philip

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714



--
* This is sent by the exim-users mailing list.  To unsubscribe send a
    mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/